How To Set Up Chef 12 on CentOS 7 / RHEL 7


Chef Workstations:

A workstation is a computer that is configured to author, test, and maintain cookbooks. These cookbooks are then uploaded to the Chef server. It is also used to bootstrap nodes, which installs the chef-client on them.

Setting up a Workstation:

Download the latest version of Chef Development Kit (0.19.6 at the time of writing).

wget https://packages.chef.io/stable/el/7/chefdk-0.19.6-1.el7.x86_64.rpm

Install ChefDK.

rpm -ivh chefdk-*.rpm

Verify the components of Chef Development Kit.

chef verify

Output:

Running verification for component 'berkshelf'
Running verification for component 'test-kitchen'
Running verification for component 'tk-policyfile-provisioner'
Running verification for component 'chef-client'
Running verification for component 'chef-dk'
Running verification for component 'chef-provisioning'
Running verification for component 'chefspec'
Running verification for component 'generated-cookbooks-pass-chefspec'
Running verification for component 'rubocop'
Running verification for component 'fauxhai'
Running verification for component 'knife-spork'
Running verification for component 'kitchen-vagrant'
Running verification for component 'package installation'
Running verification for component 'openssl'
Running verification for component 'inspec'
Running verification for component 'delivery-cli'
Running verification for component 'git'
Running verification for component 'opscode-pushy-client'
Running verification for component 'chef-sugar'
.................................................................
---------------------------------------------
Verification of component 'kitchen-vagrant' succeeded.
Verification of component 'openssl' succeeded.
Verification of component 'delivery-cli' succeeded.
Verification of component 'test-kitchen' succeeded.
Verification of component 'rubocop' succeeded.
Verification of component 'opscode-pushy-client' succeeded.
Verification of component 'berkshelf' succeeded.
Verification of component 'fauxhai' succeeded.
Verification of component 'inspec' succeeded.
Verification of component 'tk-policyfile-provisioner' succeeded.
Verification of component 'chefspec' succeeded.
Verification of component 'knife-spork' succeeded.
Verification of component 'git' succeeded.
Verification of component 'chef-dk' succeeded.
Verification of component 'chef-sugar' succeeded.
Verification of component 'chef-client' succeeded.
Verification of component 'generated-cookbooks-pass-chefspec' succeeded.
Verification of component 'package installation' succeeded.
Verification of component 'chef-provisioning' succeeded.

Some users may want to make the Ruby version installed with Chef the default Ruby. First, check the current Ruby location.

which ruby

This command returns a result if your machine has Ruby installed. Run the command below to add the ChefDK environment variables to your user profile file.

echo 'eval "$(chef shell-init bash)"' >> ~/.bash_profile

Load the user profile.

. ~/.bash_profile

Now, check the Ruby location again. You should get output similar to the following.

# which ruby
/opt/chefdk/embedded/bin/ruby

Install git:

Before generating chef-repo, you must install an open source version control tool called git on the machine.

yum -y install git

Once the installation is complete, generate the chef-repo using the “chef generate repo” command.

cd ~
chef generate repo chef-repo

This command places the basic chef repo structure into a directory called “chef-repo” in your home directory.

ls -al ~/chef-repo/

Output:

total 32
drwxr-xr-x. 8 root root 4096 Nov 12 18:30 .
dr-xr-x---. 5 root root 4096 Nov 12 18:29 ..
-rw-r--r--. 1 root root 1133 Nov 12 18:29 chefignore
-rw-r--r--. 1 root root  255 Nov 12 18:29 .chef-repo.txt
drwxr-xr-x. 3 root root   36 Nov 12 18:29 cookbooks
drwxr-xr-x. 3 root root   36 Nov 12 18:29 data_bags
drwxr-xr-x. 2 root root   41 Nov 12 18:29 environments
drwxr-xr-x. 7 root root 4096 Nov 12 18:29 .git
-rw-r--r--. 1 root root  106 Nov 12 18:29 .gitignore
-rw-r--r--. 1 root root   70 Nov 12 18:29 LICENSE
-rw-r--r--. 1 root root 1499 Nov 12 18:29 README.md
drwxr-xr-x. 2 root root   41 Nov 12 18:29 roles

Add version control:

Set up a user name and email address to begin the git configuration. Replace the values according to your environment.

git config --global user.name "admin"
git config --global user.email "[email protected]"

Go to the chef-repo directory and initialize it.

cd ~/chef-repo/
git init

Now, let’s create a hidden directory called “.chef” under the chef-repo directory. This hidden directory will hold the RSA keys that we created on the Chef server.

mkdir -p ~/chef-repo/.chef

Since this hidden directory stores the RSA keys, it should not be exposed to the public. To do that we will add this directory to “.gitignore” to prevent uploading the contents to GitHub.

echo '.chef' >> ~/chef-repo/.gitignore

Add and commit all existing files.

cd ~/chef-repo/
git add .
git commit -m "initial commit"

Check the status of the directory.

git status

Output:

nothing to commit, working directory clean

Copy the RSA Keys to the Workstation:

The RSA keys (.pem) generated when setting up the Chef Server now need to be placed on the workstation. Place them under the “~/chef-repo/.chef” directory.

scp -pr root@chefserver:/etc/chef/admin.pem ~/chef-repo/.chef/
scp -pr root@chefserver:/etc/chef/itzgeek-validator.pem ~/chef-repo/.chef/
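
An added check, not part of the original article: the script below audits the chef-repo layout used on this page for exposed knife keys, covering the .gitignore step and the key copy above. It assumes GNU find, and the function names audit_chef_keys and harden_chef_keys are hypothetical.

```shell
#!/bin/sh
# Added example: audit ~/chef-repo for exposed knife keys.
# audit_chef_keys and harden_chef_keys are hypothetical helper names.

# Prints one FAIL line per finding; returns 0 when clean, 1 otherwise.
audit_chef_keys() (
    cd "$1" || exit 2
    findings=0

    # .chef must be ignored so the keys are never staged.
    if ! grep -qxE '/?\.chef/?' .gitignore 2>/dev/null; then
        echo "FAIL: .chef is not listed in .gitignore"
        findings=1
    fi

    # .chef and each private key must be closed to group and other.
    loose=$(find .chef -maxdepth 1 \( -name .chef -o -name '*.pem' \) -perm /077 2>/dev/null)
    if [ -n "$loose" ]; then
        echo "$loose" | sed 's/^/FAIL: group or other can access /'
        findings=1
    fi

    # .gitignore does not untrack files that were committed earlier.
    if command -v git >/dev/null 2>&1 && git rev-parse --git-dir >/dev/null 2>&1; then
        tracked=$(git ls-files -- .chef '*.pem')
        if [ -n "$tracked" ]; then
            echo "$tracked" | sed 's/^/FAIL: tracked by git: /'
            findings=1
        fi
    fi

    if [ "$findings" -eq 0 ]; then echo "OK: no exposed keys"; fi
    exit "$findings"
)

# Restrict .chef to its owner (0700) and each key to 0600.
harden_chef_keys() {
    chmod 700 "$1/.chef" &&
        find "$1/.chef" -maxdepth 1 -name '*.pem' -exec chmod 600 {} +
}

# Run against a repo when a path is given: sh audit.sh ~/chef-repo
if [ "$#" -gt 0 ]; then
    audit_chef_keys "$1"
fi
```

Because scp -p preserves the file mode from the server, run the audit after every key copy rather than relying on the workstation's umask.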

Create knife.rb File:

Knife is a command-line interface between a local chef-repo and the Chef server. To make knife work with your Chef environment, we need to configure it by creating knife.rb in the “~/chef-repo/.chef/” directory.

Now, create and edit the knife.rb file using your favorite editor.

vi ~/chef-repo/.chef/knife.rb

In this file, paste the following information:

current_dir = File.dirname(__FILE__)
log_level                :info
log_location             STDOUT
node_name                "admin"
client_key               "#{current_dir}/admin.pem"
validation_client_name   "itzgeek-validator"
validation_key           "#{current_dir}/itzgeek-validator.pem"
chef_server_url          "https://chefserver.itzgeek.local/organizations/itzgeek"
syntax_check_cache_path  "#{ENV['HOME']}/.chef/syntaxcache"
cookbook_path            ["#{current_dir}/../cookbooks"]

Adjust the following items to suit your infrastructure.

node_name: This is the username with permission to authenticate to the Chef server. The username should match the user that we created on the Chef server.

client_key: The location of the file that contains the user key that we copied over from the Chef server.

validation_client_name: This should be your organization’s short name followed by -validator.

validation_key: The location of the file that contains the validation key that we copied over from the Chef server. This key is used when a chef-client is registered with the Chef server.

chef_server_url: The URL of the Chef server. It should begin with https://, followed by the IP address or FQDN of the Chef server, and end with the organization name just after /organizations/.

#{current_dir} represents the ~/chef-repo/.chef/ directory, assuming that the knife.rb file is in ~/chef-repo/.chef/, so you don’t have to write the fully qualified path.

Testing Knife:

Now, test the configuration by running the knife client list command. Make sure you are in the ~/chef-repo/ directory.

cd ~/chef-repo/
knife client list

You may get an error like below on your first attempt:

ERROR: SSL Validation failure connecting to host: chefserver.itzgeek.local - SSL_connect returned=1 errno=0 state=error: certificate verify failed
ERROR: Could not establish a secure connection to the server.
Use `knife ssl check` to troubleshoot your SSL configuration.
If your Chef Server uses a self-signed certificate, you can use
`knife ssl fetch` to make knife trust the server's certificates.

Original Exception: OpenSSL::SSL::SSLError: SSL Error connecting to https://chefserver.itzgeek.local/organizations/itzgeek/clients - SSL_connect returned=1 errno=0 state=error: certificate verify failed

To resolve this issue, we need to fetch the Chef server’s SSL certificate on our workstation before running the above command.

knife ssl fetch

This command will add the Chef server’s certificate file to the trusted certificate directory.

WARNING: Certificates from chefserver.itzgeek.local will be fetched and placed in your trusted_cert
directory (/root/chef-repo/.chef/trusted_certs).

Knife has no means to verify these are the correct certificates. You should
verify the authenticity of these certificates after downloading.

Adding certificate for chefserver.itzgeek.local in /root/chef-repo/.chef/trusted_certs/chefserver_itzgeek_local.crt
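
One way to act on that warning, as an added example that is not part of the original article: compare the SHA-256 fingerprint of the fetched certificate with one computed on the Chef server itself and passed to you over a channel you already trust. The function names are hypothetical, and the expected fingerprint is an input you supply.

```shell
#!/bin/sh
# Added example: check a certificate saved by `knife ssl fetch` against a
# fingerprint obtained out-of-band. Function names are hypothetical.

# Reduce "SHA256 Fingerprint=AA:BB:..." or plain hex to bare lowercase hex.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'A-F' 'a-f'
}

# SHA-256 fingerprint of a PEM certificate, normalized; empty on error.
cert_fp() {
    normalize_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null)"
}

# Usage: verify_fetched_cert <fetched.crt> <fingerprint taken on the server>
# Returns 0 on match, 1 on mismatch, 2 if the certificate cannot be parsed.
verify_fetched_cert() (
    actual=$(cert_fp "$1")
    expected=$(normalize_fp "$2")
    if [ -z "$actual" ]; then
        echo "ERROR: cannot read certificate $1"
        exit 2
    fi
    if [ "$actual" = "$expected" ]; then
        echo "MATCH: $1 sha256=$actual"
        exit 0
    fi
    echo "MISMATCH: $1 sha256=$actual, expected $expected"
    echo "Delete it from trusted_certs and investigate before using knife."
    exit 1
)

# Run directly: sh verify.sh <fetched.crt> <expected fingerprint>
if [ "$#" -eq 2 ]; then
    verify_fetched_cert "$1" "$2"
fi
```

The second argument accepts the raw output of openssl x509 -noout -fingerprint -sha256 run against the server's own certificate file, so it can be pasted as is.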

Once the SSL certificate has been fetched, run the previous command again to test the knife configuration.

knife client list

Output:

itzgeek-validator

The output confirms the verification has been completed successfully.
